Secure non-invasive method and system for distribution of digital assets

ABSTRACT

A server computer system outputs a downloader component to a client computer. The downloader component enables the client computer to download an encrypted file. After outputting the downloader component, the server computer system cooperates with the downloader component to output the encrypted file to the client computer. The server computer system outputs a user profile to the client computer. The user profile contains a key to decrypt the encrypted file into a digital content item. The server computer system outputs a file management component to the client computer. The file management component is to manage usage of the encrypted file at the client computer based on one or more terms of usage associated with the encrypted file.

FIELD OF THE DISCLOSURE

The present disclosure is generally related to methods and systems for distributing digital assets and enforcing rights on the digital assets.

BACKGROUND

The advent of the Internet has made protection of intellectual property a priority for software and digital media providers. As bandwidth has become more plentiful, the Internet has been used for unauthorized downloading of music, movies and pirated copies of software. This misuse has led to loss of revenues for software and media producers.

Similar distribution challenges are associated with delivery of classified and confidential information. Organizations may wish to limit activities that employees can perform using confidential documents and applications.

To mitigate unauthorized downloading and copying of the digital assets, some methods and systems for protecting digital assets have emerged. Available methods and systems include encryption infrastructure solutions, viewer lockup solutions, and Digital Rights Management (DRM) solutions.

Encryption infrastructure solutions typically require a corresponding proprietary plug-in for each application, including databases and file systems, to guarantee enforcement. Thus, an end user may be required to install multiple proprietary plug-ins in his/her computer to handle multiple applications. Encryption infrastructure solutions typically use a public key infrastructure (PKI) to manage public keys for encryption. Encryption infrastructure solutions are relatively difficult and expensive to deploy and maintain.

Viewer lockup solutions use a plug-in to lock information in a viewer program. For each viewer program that is to display or otherwise output digital assets, a corresponding plug-in is required. Thus, an end user may need multiple viewer lockup solutions in his/her computer to handle multiple viewer programs.

DRM solutions, which are usually embedded in an application or are otherwise application-specific, enable an administrator to regulate downloads and usage of digital assets. Existing standards to support digital rights include extensible rights markup language (XrML) and open digital rights language (ODRL). However, implementations based on existing standards are usually proprietary.

Online distributors of computer gaming software may attempt to make copying and reuse of their software difficult by decomposing the software into components. This approach may be undesirably expensive and limiting to an inventory of products.

In some broadcasting applications, owners' rights are preserved in hardware that may contain a proprietary scrambling algorithm. In this case, users who wish to receive the broadcasts may be required to buy or otherwise acquire receivers produced by a certain hardware maker. This limits consumer choices and availability of services.

Shortcomings of the aforementioned methods and systems include their limitation to a particular application or a particular type of digital asset, their being too invasive by requiring a user to install or configure a client program to enforce the protection of the digital assets, and/or their being excessively complex to provide a reliable solution. Further, the client program to enforce the protection of the digital assets may not be successful because this enforcement is more important to enforcers than end users. Still further, many digital rights enforcement systems are resource-intensive and costly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of an embodiment of a method to distribute digital assets and enforce rights associated with the digital assets;

FIG. 2 is a block diagram of an embodiment of a system to distribute digital assets and enforce rights associated with the digital assets;

FIG. 3 is a block diagram of file management features associated with each downloadable file;

FIG. 4 is a block diagram of an embodiment of components of a server computer system;

FIG. 5 is a block diagram of an embodiment of components of a client computer; and

FIG. 6 is a block diagram of an illustrative embodiment of a general computer system.

DETAILED DESCRIPTION OF THE DRAWINGS

Disclosed herein are embodiments of a digital asset and media distribution method and system. Embodiments support administrator-configurable, rights-enforcing downloads of digital assets to client workstations. A central server serves the client workstations by providing user registration, subscription and management features of the media distribution system. Various examples of digital assets, such as music, movies or electronic books to consumers, secret documents for government employees or fingerprints to authorized law enforcement authorities, can be distributed to client workstations of registered users. Although not discussed in detail herein, embodiments of the method and system can be used in multi-device environments.

Non-transferable usage rights of a digital asset are enforced on a client workstation without installing an additional plug-in to the client workstation. Multiple authentication methods, such as user identifiers, passwords, smart cards, biometrics or any combination thereof, may be used to authenticate a user of the client workstation before enabling the user to use the digital asset. The usage rights may comprise a usage period that, when expired, causes deletion or termination of access to a downloaded digital asset. The digital assets may be downloaded to a client workstation in a partially encrypted form to be made unusable if copied to another client workstation.

The embodiments provide portable, non-invasive and broadly-deployable solutions for distributing digital assets and enforcing rights associated therewith. In addition, embodiments of the solutions described herein are easy to distribute, facilitate ease in defining rights in the form of rules such as an expiration date or a use restriction, are application-independent by enforcing rights on downloaders and data instead of inside applications, can be adapted for multiple environments (e.g. from consumer applications to high-security government communications), are applicable to any or substantially any file format, do not require a special infrastructure other than a standard operating system on a client side, use an encryption approach that minimizes or otherwise reduces overhead for larger files such as movie files, can use multiple authentication methods (e.g. smart cards, biometric, passwords) and multiple levels of authentication (e.g. from simple to sophisticated), can have a client-server modular architecture, and can have centralized account management to manage downloads of assets, payments, billing and auditing. Thus, embodiments of the solutions may be both light-weight and universal.

Embodiments are described with reference to FIGS. 1 and 2 which show embodiments of a method and system, respectively, to distribute digital assets and enforce rights associated with the digital assets. As indicated by block 10, a user 12 uses a client computer 14 to create an account for receiving and using one or more digital assets. The user 12 may enter or select parameters that limit the usage of the account. For example, the account may have a limited number of downloads associated therewith, and/or a limited time period (e.g. a limited number of days) that the account is to be active. The user 12 may enter payment information associated with the account so that the user 12 can be charged for downloads. The information associated with the account is stored in a database 16 of a server computer system 18 whose operation is directed by at least one processor 19. In addition to user registration management, the server computer system 18 can perform content subscription acts.

Although the herein description is made with reference to a single user at a single client computer, the method and system can be used for multiple users at multiple different client computers.

After the account has been successfully created, one or more client components 20 are downloaded to the client computer 14 as indicated by block 22. For example, after determining that the account is successfully created, the server computer system 18 may automatically redirect the client computer 14 to a download page at which the one or more client components 20 can be downloaded by the user 12. The server computer system 18 outputs the one or more client components 20 to the client computer 14 from at least one port 23 via a computer network. Examples of the computer network include, but are not limited to, the Internet, an intranet and an extranet. The one or more client components 20 may comprise an encrypted user profile 24, a downloader component 26 and a file management component 30.

As indicated by block 32, the one or more client components 20 are installed to the client computer 14. The one or more client components 20 are used by the client computer 14 to subsequently download and use digital assets in accordance with the account.

The downloader component 26 is used by the client computer 14 to subsequently download encrypted versions of digital assets, such as encrypted files. Examples of the digital assets are numerous. Specific examples of the digital assets include, but are not limited to, music, movies, secret documents, confidential documents, and fingerprints. In an embodiment, the downloader component 26 comprises a Java engine. The files may be encrypted using partial encryption or striped encryption so that large amounts of data, such as in a digital movie file, can be protected without significant overhead. In some environments where higher security is desired, the files may be fully encrypted.

The encrypted user profile 24 contains one or more encryption keys 34 for decrypting the encrypted digital assets that were downloaded by the downloader component 26. The encrypted user profile 24 for the user 12 can be stored in a file system 36 of the client computer 14. Alternatively, the encrypted user profile 24 can be stored in a smart card 40 or an alternative computer-readable storage medium that is removable from the client computer 14. The encrypted user profile 24 may be stored in the file system 36 if the user 12 elects not to issue the smart card 40. The one or more encryption keys 34 may be usable in response to the user 12 entering a valid user identifier and/or passcode to the client computer 14, and/or in response to detecting particular biometric feature(s) of the user 12. For example, the user 12 may submit a fingerprint when enrolling in the system. The fingerprint is usable to unlock the encrypted user profile 24 from either the file system 36 or the smart card 40.

The file management component 30 uses any of the encryption keys 34 in the user profile 24 to decrypt the encrypted digital assets downloaded by the downloader component 26 to produce a digital content item. The file management component 30 makes the digital content item usable by the client computer 14 when usage is allowed based on one or more terms associated with the digital content item. The terms may be based on a limited number of uses, a limited usage period, limitations on sharing the digital content item with other users, or any combination thereof. For example, consider the user 12 being a support consultant and the digital content item being a customer's confidential financial document. In this example, the terms may permit the support consultant to open the customer's confidential financial document only once (or alternatively, another limited number of times). In another example, consider the user 12 being a government employee and the digital content item being a confidential report. In this example, the terms may give the government employee access to the confidential report, but prohibit the government employee from emailing or otherwise sharing the confidential report (or alternatively, limit to whom the confidential report can be shared).

As indicated by block 42, the downloader component 26 is used to download an encrypted file 44 to the client computer 14. In an embodiment, the downloader component 26 is usable by the client computer 14 to download only the encrypted file 44 and optionally at least one component associated with the encrypted file 44. The server computer system 18 cooperates with the downloader component 26 to output the encrypted file 44 to the client computer 14 via the computer network. The encrypted file 44 is stored, at least temporarily, by the client computer 14 or a computer-readable medium associated therewith. The encrypted file 44 may be stored in the file system 36.

As indicated by block 46, either the user 12 or another user attempts to use the encrypted file 44. The attempt to use the encrypted file 44 may be within the context of an application program 50. However, the terms of usage of the encrypted file 44 are not enforced inside the application program 50, but rather by the file management component 30.

As indicated by block 52, an act of authenticating the user 12 may be required before the encrypted file 44 is made usable. The user 12 can be authenticated by entering a user identifier and/or passcode that is the same as that stored in the encrypted user profile 24 (e.g. from either the smart card 40 or the file system 36). Either as an alternative to or in addition to the user identifier/passcode, one or more biometric features of the user 12 may be required to authenticate the user. For example, the user profile 24 stored on the smart card 40 may be unlocked based on a fingerprint of the user 12 being validated. Although different methods of authentication can be used, this disclosure focuses on strong or multi-factor authentication. For example, the multiple factors can include a personal identification number (PIN) and a password, or a PIN and a biometric identifier. The following acts presume that the user 12 has been successfully authenticated.

As indicated by block 54, the file management component 30 determines if usage of the encrypted file 44 is allowed based on its associated one or more terms. In an embodiment, the file management component 30 is usable by the client computer 14 to manage usage of only the encrypted file 44 and optionally at least one component associated with the encrypted file 44.

If usage of the encrypted file 44 is disallowed based on its associated one or more terms, the encrypted file 44 is prohibited from being used by the client computer 14, as indicated by block 56. The file management component 30 may automatically delete the encrypted file 44 upon determining that its usage is disallowed. Alternatively, the file management component 30 may terminate access to the encrypted file 44 (e.g. by disallowing decryption thereof) upon determining that its usage is disallowed.

If usage of the encrypted file is allowed, the client computer 14 decrypts the encrypted file 44 using one or more of the encryption keys 34 in the user profile 24, as indicated by block 58. In an embodiment, the user profile 24 is usable by the client computer 14 to decrypt only the encrypted file 44 and optionally at least one component associated with the encrypted file 44. Once decrypted, a resulting digital content item is directed to a viewer to enable the user 12 to use the digital content item, as indicated by block 60. For example, the digital content item can be directed to the application program 50 to enable the application program 50 to use the digital content item. Although the encrypted file 44 is stored by the file system 36, the decrypted digital content item is not stored as a file in the file system 36. This mitigates a potential for unauthorized use of copies of the encrypted file 44.

Flow of the method can return to block 46 to process one or more subsequent attempts to use the encrypted file 44. Those of the subsequent attempts that are allowed by the usage terms associated with the encrypted file 44 result in making the encrypted file 44 usable to the user 12. The encrypted file 44 is made unusable if its usage is not allowed based on the usage terms.
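The striped encryption mentioned for the downloader component and the authenticate, check-terms, decrypt-or-delete sequence of blocks 52 to 58 can be sketched together. This is an added example, not code from the disclosure: the 64-of-256-byte stripe layout, the profile fields, the user identifier and passcode, PBKDF2 for the passcode, and the HMAC-SHA256 keystream (a standard-library stand-in for a real cipher such as AES-CTR) are all assumptions.

```python
import hashlib, hmac, os, tempfile

STRIPE, PERIOD = 64, 256   # assumed layout: encrypt 64 bytes out of every 256

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, label: bytes, offset: int, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR, not a vetted cipher.
    out, ctr = b"", 0
    while len(out) < length:
        msg = label + offset.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def stripe_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt or decrypt only the first STRIPE bytes of each PERIOD-byte window."""
    buf = bytearray(data)
    for start in range(0, len(buf), PERIOD):
        chunk = bytes(buf[start:start + STRIPE])
        buf[start:start + len(chunk)] = _xor(chunk, _keystream(key, nonce, start, len(chunk)))
    return bytes(buf)

def cleartext_fraction(length: int) -> float:
    """Share of a stored file of this length that striping leaves unencrypted."""
    covered = sum(min(STRIPE, length - s) for s in range(0, length, PERIOD))
    return 1 - covered / length

def _kek(user_id: str, passcode: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the user identifier and passcode (assumed KDF).
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt + user_id.encode(), 100_000)

def make_profile(user_id: str, passcode: str, content_key: bytes) -> dict:
    """Hypothetical 'encrypted user profile': the content key wrapped under the KEK."""
    salt = os.urandom(16)
    kek = _kek(user_id, passcode, salt)
    wrapped = _xor(content_key, _keystream(kek, b"wrap", 0, len(content_key)))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_profile(profile: dict, user_id: str, passcode: str):
    """Return the content key, or None when the credentials do not verify."""
    kek = _kek(user_id, passcode, profile["salt"])
    expect = hmac.new(kek, b"tag" + profile["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, profile["tag"]):
        return None
    return _xor(profile["wrapped"], _keystream(kek, b"wrap", 0, len(profile["wrapped"])))

def open_asset(path, profile, terms, user_id, passcode, now):
    """File-management decision: returns (status, content or None)."""
    key = unlock_profile(profile, user_id, passcode)       # block 52: authenticate
    if key is None:
        return "auth_failed", None
    if now >= terms["expires_at"]:                         # blocks 54/56: expired, delete
        if os.path.exists(path):
            os.remove(path)
        return "expired_deleted", None
    if terms["uses_left"] <= 0:                            # block 56: refuse decryption
        return "denied", None
    terms["uses_left"] -= 1
    with open(path, "rb") as fh:
        nonce, body = fh.read(16), fh.read()
    return "ok", stripe_xor(body, key, nonce)              # block 58: plaintext stays in memory

def demo():
    content = bytes(range(256)) * 4                        # constructed 1 KiB sample asset
    key, nonce = os.urandom(32), os.urandom(16)
    profile = make_profile("user12", "correct horse", key) # constructed credentials
    terms = {"expires_at": 1_000, "uses_left": 1}          # constructed terms of usage
    fd, path = tempfile.mkstemp(suffix=".enc")
    with os.fdopen(fd, "wb") as fh:
        fh.write(nonce + stripe_xor(content, key, nonce))
    results = [
        open_asset(path, profile, terms, "user12", "wrong", now=10)[0],
        open_asset(path, profile, terms, "user12", "correct horse", now=10),
        open_asset(path, profile, terms, "user12", "correct horse", now=20)[0],
        open_asset(path, profile, terms, "user12", "correct horse", now=2_000)[0],
    ]
    return results, content, os.path.exists(path)

if __name__ == "__main__":
    outcome, _, still_on_disk = demo()
    print(outcome[0], outcome[1][0], outcome[2], outcome[3], still_on_disk)
    print("cleartext fraction of a 1 KiB file:", cleartext_fraction(1024))
```

With the assumed 64-of-256 layout, three quarters of the stored file is readable without any key, which is the exposure to weigh against the lower overhead when choosing between striped and full encryption.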

Flow of the method can return to block 10 to process one or more subsequent downloads of one or more other encrypted files. In general, the terms of usage for a subsequent download may be either the same as or may differ from the download of the encrypted file 44. The above-described acts are repeated for downloading, decrypting, using, and enforcing the terms of usage on the one or more other files. Some or all of the client components 20 that were downloaded for the encrypted file 44 are associated with and usable only with the encrypted file 44 and not with the one or more other encrypted files. Thus, for each subsequent digital asset that is to be downloaded as a subsequent encrypted file, any combination of a subsequent user profile, a subsequent downloader component, and a subsequent file management component may be generated and downloaded to the client computer 14. The subsequent user profile, the subsequent downloader component, and the subsequent file management component are usable only with its associated subsequent encrypted file.

In the aforementioned embodiment, the client computer 14 stores the downloaded objects (e.g. including the encrypted file 44) at least temporarily, and also stores information about its use, user(s), user rights and connections. In alternative embodiments, some or all of the functionality executed on the client computer 14 can be performed by a server gateway. These alternative embodiments may be used in situations where storing confidential information, including authentication and credential validation information, on the client computer 14 is not possible or not desirable.

Further in the aforementioned embodiment, the downloader component 26 is a proprietary downloader that includes scripts and configuration files to regulate partial encryptions of the encrypted file 44 and elimination of the file after a usage period has ended, to provide an additional security feature. In alternative embodiments, a standard downloading protocol such as file transfer protocol (FTP) may be used with a generic downloader.

FIG. 3 is a block diagram of file management features associated with each downloadable file. A download-file feature 80 comprises copying an encrypted file, an encrypted profile and one or more file management programs from the server computer system 18 to the client computer 14. An open-file-from-link feature 82 comprises executing a batch program to open the encrypted file from a link (e.g. a hyperlink), authenticating the user 12, getting a decryption key based on said authenticating, decrypting the encrypted file based on the decryption key, and opening the file in an appropriate viewer program. An open-file-from-file-system feature 84 comprises executing a batch program to open the encrypted file stored in the file system 36, authenticating the user 12, getting a decryption key based on said authenticating, and opening the file in an appropriate viewer program. An expire-file feature 86 comprises executing a batch program to open the encrypted file, authenticating the user 12, checking a time stamp, and deleting the encrypted file if the usage of the encrypted file has expired based on the time stamp.

FIG. 4 is a block diagram of an embodiment of components of the server computer system 18. The server computer system 18 comprises a Web server 100. In an embodiment, the Web server 100 comprises an IIS 5.x server. The server computer system 18 further comprises a connect server 102 having server-side components to interact with components installed at the client-side. An account database 104 stores user records as computer-readable data encoded on computer-readable media. An enrollment database 106 stores user biometric information as computer-readable data encoded on computer-readable media. The server computer system 18 further comprises files 110 that are to be copied to the client computer 14 during installation. The files 110 comprise an encrypted customer profile 112, file management programs 114, and an installer program 116. The server computer system 18 further comprises files 122 that are to be downloaded to the client computer 14 after installation of the files 110. The files 122 are downloaded to the client computer 14 according to a subscription associated with the client computer 14 or its user.

FIG. 5 is a block diagram of an embodiment of components of the client computer 14. The embodiment may use an NDM protocol that is initiated and controlled from a Web browser 130 of the client computer 14. Although illustrated to use ActiveX objects, non-ActiveX embodiments are also within the scope of this disclosure. The client computer 14 comprises the files 110 downloaded from the server computer system 18. The client computer 14 may use a smart card reader 132 and/or a biometric reader/scanner 134 to authenticate the user 12 and thus permit use of the downloaded files 122. Once the user 12 is authenticated, the files 122, which are downloaded as encrypted files (e.g. .enc files), can be opened with the file management programs 114. The client computer 14 may use one or more drivers 136 to enable use of the files 122. A processor 140 directs the cooperation between the aforementioned elements.

For purposes of illustration and example, consider an embodiment of the method and system being applied by a computer game server to distribute computer gaming software. The embodiment provides a distribution model that thwarts users from copying and redistributing the computer gaming software without making significant changes to the computer gaming software.

The user 12 creates an account that allows him/her to rent one or more computer games for a few days. Thereafter, the user 12 downloads a client component to the client computer 14. The client component is used to download an encrypted user profile, one or more computer game software files, and one or more programs to decrypt and expire the files. The downloaded game files are encrypted with a key protected with a user identifier and a password. Thus, the downloaded game files cannot be opened without authentication by the user 12. Further, unauthorized copies of the downloaded game files cannot be reused without decryption.

The user 12 can use the downloaded computer game software files for a few days to assess their attractiveness. Thereafter, the user 12 may wish to purchase longer-term use of those of the computer game software files that he/she deems of interest.

Embodiments of the method and system can be used in many different practical applications, including but not limited to financial applications, government applications, education applications, entertainment applications, telecommunication applications, and software applications. Examples of financial applications include, but are not limited to, financial statement delivery, check image delivery, online billing and bill presentation, customer support, delivery of credit reports to customers, confidential merger and acquisition activities, and training for new online banking applications. Examples of government applications include, but are not limited to, confidential report distribution, identity verification information, confidential document delivery (e.g. federal application for student assistance, FAFSA, or tax filings), intelligence information sharing, and distribution of training for systems requiring a security clearance. Examples of education applications include, but are not limited to, performance and report card delivery, tests and quizzes, and collaboration-based work. Examples of entertainment applications include, but are not limited to, downloading and protecting entertainment content (e.g. movies, music, games or electronic books), and downloading and distributing exclusive content. Examples of telecommunication applications include, but are not limited to, delivery of bills to customers, delivery of software updates for Internet subscribers, call center operations such as delivery of supporting information, and credit checking and authorization. Examples of software applications include, but are not limited to, software distribution, distribution of software updates and/or patches, delivery of beta test software to select groups, and delivery of manuals and/or training materials.

Object delivery combined with management after delivery is a functionality that is useful in conjunction with various software modules and systems. Examples of the various software modules and systems include media production software and systems, secure email software and systems, and viewer security plug-ins or alternative security policy enforcement software and systems.

Some benefits of embodiments disclosed herein include: providing multiple authentication mechanisms, supporting potentially complex usage rules (e.g. not just timing out), supporting potentially complex account structures, including DRM elements to thwart use if a captured file is copied to a different device, allowing developers to embed rules and configurations with the downloader to adapt for various security models, enabling users to download a downloader with embedded rules including authentication before downloading an object, supporting multiple models and processes for downloading (from media files distribution to the distribution of secure reports or confidential customer information, and from one-time use to long-term subscription and permanent access), protecting objects and/or their components themselves rather than playback thereof through particular application programs, assigning rights to objects or their components prior to display in any program, using partial encryption to encrypt either portions or stripes of a file in order to enhance performance, including the downloader with the distribution in order to block repeat download actions, and making an encryption key, rules of use, and authentication available with a downloader and an object when the object is purchased or when authorization is obtained.

Referring to FIG. 6, an illustrative embodiment of a general computer system is shown and is designated 600. The computer system 600 can include a set of instructions that can be executed to cause the computer system 600 to perform any one or more of the methods or computer based functions disclosed herein. The computer system 600 may operate as a standalone device or may be connected, e.g., using a network, to other computer systems or peripheral devices.

In a networked deployment, the computer system may operate in the capacity of a server or as a client user computer in a server-client user network environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. The computer system 600 can also be implemented as or incorporated into various devices, such as a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a control system, a camera, a scanner, a facsimile machine, a printer, a pager, a personal trusted device, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. In a particular embodiment, the computer system 600 can be implemented using electronic devices that provide voice, video or data communication. Further, while a single computer system 600 is illustrated, the term “system” shall also be taken to include any collection of systems or sub-systems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.

As illustrated in FIG. 6, the computer system 600 may include a processor 602, e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both. Moreover, the computer system 600 can include a main memory 604 and a static memory 606, that can communicate with each other via a bus 608. As shown, the computer system 600 may further include a video display unit 610, such as a liquid crystal display (LCD), an organic light emitting diode (OLED), a flat panel display, a solid state display, or a cathode ray tube (CRT). Additionally, the computer system 600 may include an input device 612, such as a keyboard, and a cursor control device 614, such as a mouse. The computer system 600 can also include a disk drive unit 616, a signal generation device 618, such as a speaker or remote control, and a network interface device 620.

In a particular embodiment, as depicted in FIG. 6, the disk drive unit 616 may include a computer-readable medium 622 in which one or more sets of instructions 624, e.g. software, can be embedded. Further, the instructions 624 may embody one or more of the methods or logic as described herein. In a particular embodiment, the instructions 624 may reside completely, or at least partially, within the main memory 604, the static memory 606, and/or within the processor 602 during execution by the computer system 600. The main memory 604 and the processor 602 also may include computer-readable media.

In an alternative embodiment, dedicated hardware implementations, such as application specific integrated circuits, programmable logic arrays and other hardware devices, can be constructed to implement one or more of the methods described herein. Applications that may include the apparatus and systems of various embodiments can broadly include a variety of electronic and computer systems. One or more embodiments described herein may implement functions using two or more specific interconnected hardware modules or devices with related control and data signals that can be communicated between and through the modules, or as portions of an application-specific integrated circuit. Accordingly, the present system encompasses software, firmware, and hardware implementations.

In accordance with various embodiments of the present disclosure, the methods described herein may be implemented by software programs executable by a computer system. Further, in an exemplary, non-limited embodiment, implementations can include distributed processing, component/object distributed processing, and parallel processing. Alternatively, virtual computer system processing can be constructed to implement one or more of the methods or functionality as described herein.

The present disclosure contemplates a computer-readable medium that includes instructions 624 or receives and executes instructions 624 responsive to a propagated signal, so that a device connected to a network 626 can communicate voice, video or data over the network 626. Further, the instructions 624 may be transmitted or received over the network 626 via the network interface device 620.

While the computer-readable medium is shown to be a single medium, the term “computer-readable medium” includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store one or more sets of instructions. The term “computer-readable medium” shall also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the methods or operations disclosed herein.

In a particular non-limiting, exemplary embodiment, the computer-readable medium can include a solid-state memory such as a memory card or other package that houses one or more non-volatile read-only memories. Further, the computer-readable medium can be a random access memory or other volatile re-writable memory. Additionally, the computer-readable medium can include a magneto-optical or optical medium, such as a disk or tapes or other storage device to capture carrier wave signals such as a signal communicated over a transmission medium. A digital file attachment to an e-mail or other self-contained information archive or set of archives may be considered a distribution medium that is equivalent to a tangible storage medium. Accordingly, the disclosure is considered to include any one or more of a computer-readable medium or a distribution medium and other equivalents and successor media, in which data or instructions may be stored.

Although the present specification describes components and functions that may be implemented in particular embodiments with reference to particular standards and protocols, the invention is not limited to such standards and protocols. For example, standards for Internet and other packet switched network transmission (e.g., TCP/IP, UDP/IP, HTML, HTTP) represent examples of the state of the art. Such standards are periodically superseded by faster or more efficient equivalents having essentially the same functions. Accordingly, replacement standards and protocols having the same or similar functions as those disclosed herein are considered equivalents thereof.

The illustrations of the embodiments described herein are intended to provide a general understanding of the structure of the various embodiments. The illustrations are not intended to serve as a complete description of all of the elements and features of apparatus and systems that utilize the structures or methods described herein. Many other embodiments may be apparent to those of skill in the art upon reviewing the disclosure. Other embodiments may be utilized and derived from the disclosure, such that structural and logical substitutions and changes may be made without departing from the scope of the disclosure. Additionally, the illustrations are merely representational and may not be drawn to scale. Certain proportions within the illustrations may be exaggerated, while other proportions may be minimized. Accordingly, the disclosure and the figures are to be regarded as illustrative rather than restrictive.

One or more embodiments of the disclosure may be referred to herein, individually and/or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any particular invention or inventive concept. Moreover, although specific embodiments have been illustrated and described herein, it should be appreciated that any subsequent arrangement designed to achieve the same or similar purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all subsequent adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the description.

The Abstract of the Disclosure is provided to comply with 37 C.F.R. §1.72(b) and is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, various features may be grouped together or described in a single embodiment for the purpose of streamlining the disclosure. This disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter may be directed to less than all of the features of any of the disclosed embodiments. Thus, the following claims are incorporated into the Detailed Description, with each claim standing on its own as defining separately claimed subject matter.

The above disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments which fall within the true spirit and scope of the present invention. Thus, to the maximum extent allowed by law, the scope of the present invention is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.

1. A method comprising: outputting a first downloader component to a client computer, the first downloader component to enable the client computer to download a first encrypted file; after said outputting the first downloader component, cooperating with the first downloader component to output the first encrypted file to the client computer; outputting a first user profile to the client computer, the first user profile containing a first key to decrypt the first encrypted file into a first digital content item; and outputting a first file management component to manage usage of the first encrypted file at the client computer based on one or more terms of usage associated with the first encrypted file.
2. The method of claim 1 further comprising: outputting a second downloader component to the client computer, the second downloader component to enable the client computer to download a second encrypted file; after said outputting the second downloader component, cooperating with the second downloader component to output the second encrypted file to the client computer; outputting a second user profile to the client computer, the second user profile containing a second key to decrypt the second encrypted file into a second digital content item; and outputting a second file management component to manage usage of the second encrypted file at the client computer based on one or more terms of usage associated with the second encrypted file.
3. The method of claim 1 wherein the first downloader component is usable by the client computer to download only the first encrypted file.
4. The method of claim 1 wherein the first user profile is usable by the client computer to decrypt only the first encrypted file.
5. The method of claim 1 wherein the first file management component is usable by the client computer to manage usage of only the first encrypted file.
6. The method of claim 1 wherein the first downloader component is usable by the client computer to download only the first encrypted file and at least component associated with the first encrypted file.
7. The method of claim 1 wherein the first user profile is usable by the client computer to decrypt only the first encrypted file and at least one component associated with the first encrypted file.
8. The method of claim 1 wherein the first file management component is usable by the client computer to manage usage of only the first encrypted file and at least one component associated with the first encrypted file.
9. The method of claim 1 wherein the first file management component comprise computer program code to cause the client computer to determine if usage of the first encrypted file is allowed based on its associated one or more terms of usage, to direct the first digital content item to an application program if the usage is allowed, and to prohibit usage of the first encrypted file if the usage is not allowed.
10. The method of claim 9 wherein the associated one or more terms of usage are not enforced by the application program.
11. A system comprising: a server computer system comprising at least one processor and at least one port, the at least one port to: output a first downloader component to a client computer, the first downloader component to enable the client computer to download a first encrypted file; after outputting the first downloader component, cooperate with the first downloader component to output the first encrypted file to the client computer; output a first user profile to the client computer, the first user profile containing a first key to decrypt the first encrypted file into a first digital content item; and output a first file management component to manage usage of the first encrypted file at the client computer based on one or more terms of usage associated with the first encrypted file.
12. The system of claim 11 wherein the server computer system is further programmed to: output a second downloader component to the client computer, the second downloader component to enable the client computer to download a second encrypted file; after outputting the second downloader component, cooperate with the second downloader component to output the second encrypted file to the client computer; output a second user profile to the client computer, the second user profile containing a second key to decrypt the second encrypted file into a second digital content item; and output a second file management component to manage usage of the second encrypted file at the client computer based on one or more terms of usage associated with the second encrypted file.
13. The system of claim 11 wherein the first downloader component is usable by the client computer to download only the first encrypted file.
14. The system of claim 11 wherein the first user profile is usable by the client computer to decrypt only the first encrypted file.
15. The system of claim 11 wherein the first file management component is usable by the client computer to manage usage of only the first encrypted file.
16. The system of claim 11 wherein the first downloader component is usable by the client computer to download only the first encrypted file and at least component associated with the first encrypted file.
17. The system of claim 11 wherein the first user profile is usable by the client computer to decrypt only the first encrypted file and at least one component associated with the first encrypted file.
18. The system of claim 11 wherein the first file management component is usable by the client computer to manage usage of only the first encrypted file and at least one component associated with the first encrypted file.
19. The system of claim 11 wherein the first file management component comprise computer program code to cause the client computer to determine if usage of the first encrypted file is allowed based on its associated one or more terms of usage, to direct the first digital content item to an application program if the usage is allowed, and to prohibit usage of the first encrypted file if the usage is not allowed.
20. The system of claim 19 wherein the associated one or more terms of usage are not enforced by the application program.
21. A computer-readable medium having computer-readable program code to cause a server computer system to: output a first downloader component to a client computer, the first downloader component to enable the client computer to download a first encrypted file; after outputting the first downloader component, cooperate with the first downloader component to output the first encrypted file to the client computer; output a first user profile to the client computer, the first user profile containing a first key to decrypt the first encrypted file into a first digital content item; and output a first file management component to manage usage of the first encrypted file at the client computer based on one or more terms of usage associated with the first encrypted file.
22. A method comprising: receiving a first downloader component by a client computer from a server computer system; using the first downloader component to download a first encrypted file from the server computer system to the client computer; receiving a first user profile by the client computer from the server computer system, the first user profile containing a first key; using the first key to decrypt the first encrypted file into a first digital content item; receiving a first file management component by the client computer from the server computer system; and using the first file management component to manage usage of the first encrypted file at the client computer based on one or more terms of usage associated with the first encrypted file.
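
The client-side flow of claims 9 and 22, with the per-file binding of claim 4, can be sketched as follows. This is an added example, not code from the patent: the profile layout, the `expires` and `max_opens` terms, the `FileManager` class and the SHA-256 keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 counter keystream), NOT the patent's; use a vetted AEAD in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Server side: produce tag || ciphertext for one digital content item."""
    ct = _xor_stream(key, plaintext)
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

class FileManager:
    """Hypothetical file management component: the only path from the encrypted file to the application."""

    def __init__(self, profile: dict, now=time.time):
        self.profile, self.now, self.opens = profile, now, 0

    def open(self, file_id: str, blob: bytes, app):
        p, terms = self.profile, self.profile["terms"]
        if file_id != p["file_id"]:  # the profile decrypts only its own file
            raise PermissionError("profile is not bound to this file")
        if self.now() > terms["expires"]:
            raise PermissionError("usage period has expired")
        if self.opens >= terms["max_opens"]:
            raise PermissionError("permitted number of opens used up")
        tag, ct = blob[:32], blob[32:]
        expected = hmac.new(p["key"], ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("encrypted file failed its integrity check")
        self.opens += 1
        return app(_xor_stream(p["key"], ct))  # usage allowed: hand content to the app

# Constructed sample data: key, content, file id and terms are made up for this example.
KEY = bytes(range(32))
BLOB = encrypt_file(KEY, b"constructed sample content")
PROFILE = {"file_id": "asset-001", "key": KEY,
           "terms": {"expires": 2_000_000_000, "max_opens": 2}}
```

The application callback never sees the terms of usage, which matches claim 10. The open counter here lives only in memory, so a deployed component would need to persist it somewhere the user cannot reset.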